A data breach at Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has impacted over 23,300 patients. CCPSA detected the email account breach on November 23, 2018 when the email account was used to send phishing emails to people in the employee’s contact list. The emails requested payments be made to an account controlled by the attacker.

The account was immediately blocked to prevent further unauthorized activity and all email accounts had their passwords reset. Users were asked to create new, strong passwords. CCPSA hired a third-party computer forensics company to investigate the incident and find out the extent of the breach. The investigation came to a conclusion on December 14, 2018.

As per the investigation findings, the attacker accessed several email accounts from August 14 to November 23, 2018. The data breach only affected the email system. The medical record system remained secure.

CCPSA had implemented safeguards to prevent phishing attacks, although they were insufficient to prevent the attack. Further safeguards have now been implemented to improve security, changes were made to network access by authorized persons, the IT department changed some rules related to the computer systems and the entire workforce had to undergo further training on security awareness.

The Department of Health and Human Services’ Office for Civil Rights posted a breach summary on its breach portal indicating the ePHI of 23,377 people was exposed.